Files
linux-stable-mirror/scripts/Makefile.modinst
T
Mikhail MalyshevandGreg Kroah-Hartman 614b89e41b kbuild: Use objtree for module signing key path
[ Upstream commit af61da281f ]

When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
module signing fails because the private key path uses $(srctree)
while the public key path uses $(objtree). Since signing keys are
generated in the build directory during kernel compilation, both
paths should use $(objtree) for consistency.

This causes SSL errors like:
  SSL error:02001002:system library:fopen:No such file or directory
  sign-file: /kernel-src/certs/signing_key.pem

The issue occurs because:
- sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
- cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)

But both keys are generated in $(objtree) during the build.

This complements commit 25ff08aa43 ("kbuild: Fix signing issue for
external modules") which fixed the scripts path and public key path,
but missed the private key path inconsistency.

Fixes out-of-tree module signing for configurations with separate
source and build directories (e.g., O=/kernel-out).

Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20251015163452.3754286-1-mike.malyshev@gmail.com
Signed-off-by: Nicolas Schier <nsc@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2026-01-11 15:18:40 +01:00

119 lines
2.6 KiB
Makefile

# SPDX-License-Identifier: GPL-2.0
# ==========================================================================
# Installing modules
# ==========================================================================
PHONY := __modinst
__modinst:
include include/config/auto.conf
include $(srctree)/scripts/Kbuild.include
modules := $(sort $(shell cat $(MODORDER)))
ifeq ($(KBUILD_EXTMOD),)
dst := $(MODLIB)/kernel
else
INSTALL_MOD_DIR ?= extra
dst := $(MODLIB)/$(INSTALL_MOD_DIR)
endif
$(foreach x, % :, $(if $(findstring $x, $(dst)), \
$(error module installation path cannot contain '$x')))
suffix-y :=
suffix-$(CONFIG_MODULE_COMPRESS_GZIP) := .gz
suffix-$(CONFIG_MODULE_COMPRESS_XZ) := .xz
suffix-$(CONFIG_MODULE_COMPRESS_ZSTD) := .zst
modules := $(patsubst $(extmod_prefix)%, $(dst)/%$(suffix-y), $(modules))
__modinst: $(modules)
@:
#
# Installation
#
quiet_cmd_install = INSTALL $@
cmd_install = mkdir -p $(dir $@); cp $< $@
# Strip
#
# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after they
# are installed. If INSTALL_MOD_STRIP is '1', then the default option
# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be used
# as the options to the strip command.
ifdef INSTALL_MOD_STRIP
ifeq ($(INSTALL_MOD_STRIP),1)
strip-option := --strip-debug
else
strip-option := $(INSTALL_MOD_STRIP)
endif
quiet_cmd_strip = STRIP $@
cmd_strip = $(STRIP) $(strip-option) $@
else
quiet_cmd_strip =
cmd_strip = :
endif
#
# Signing
# Don't stop modules_install even if we can't sign external modules.
#
ifeq ($(CONFIG_MODULE_SIG_ALL),y)
ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY)
else
sig-key := $(CONFIG_MODULE_SIG_KEY)
endif
quiet_cmd_sign = SIGN $@
cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@ \
$(if $(KBUILD_EXTMOD),|| true)
else
quiet_cmd_sign :=
cmd_sign := :
endif
ifeq ($(modules_sign_only),)
$(dst)/%.ko: $(extmod_prefix)%.ko FORCE
$(call cmd,install)
$(call cmd,strip)
$(call cmd,sign)
else
$(dst)/%.ko: FORCE
$(call cmd,sign)
endif
#
# Compression
#
quiet_cmd_gzip = GZIP $@
cmd_gzip = $(KGZIP) -n -f $<
quiet_cmd_xz = XZ $@
cmd_xz = $(XZ) --lzma2=dict=2MiB -f $<
quiet_cmd_zstd = ZSTD $@
cmd_zstd = $(ZSTD) -T0 --rm -f -q $<
$(dst)/%.ko.gz: $(dst)/%.ko FORCE
$(call cmd,gzip)
$(dst)/%.ko.xz: $(dst)/%.ko FORCE
$(call cmd,xz)
$(dst)/%.ko.zst: $(dst)/%.ko FORCE
$(call cmd,zstd)
PHONY += FORCE
FORCE:
.PHONY: $(PHONY)